[{"id":3677093,"web_url":"http://patchwork.ozlabs.org/comment/3677093/","msgid":"<da61bc75-3c2e-a5d1-1448-2386b12c84a6@eik.bme.hu>","list_archive_url":null,"date":"2026-04-14T09:29:54","subject":"Re: [PATCH] ati-vga: fix unsigned integer overflow in cursor bounds\n checks","submitter":{"id":16148,"url":"http://patchwork.ozlabs.org/api/people/16148/","name":"BALATON Zoltan","email":"balaton@eik.bme.hu"},"content":"On Tue, 14 Apr 2026, Junjie Cao wrote:\n> The cursor bounds checks compare (srcoff + N) against vram_size, but\n> both sides are uint32_t so the addition can wrap past UINT32_MAX when\n> srcoff underflows from the cur_hv_offs subtraction, causing the check\n> to be bypassed.\n>\n> Rewrite the checks as (srcoff > vram_size - N) to avoid the\n> overflow-prone addition, matching the style already used in\n> ati_mm_read() and ati_mm_write().\n>\n> Fixes: 2f1fbe6ee9b5 (\"ati-vga: Make sure hardware cursor data is within vram\")\n> Cc: qemu-stable@nongnu.org\n> Signed-off-by: Junjie Cao <junjie.cao@intel.com>\n> ---\n> Found while running local QEMU fuzz testing.\n>\n> hw/display/ati.c | 4 ++--\n> 1 file changed, 2 insertions(+), 2 deletions(-)\n>\n> diff --git a/hw/display/ati.c b/hw/display/ati.c\n> index 88a5bbbf07..0489995d00 100644\n> --- a/hw/display/ati.c\n> +++ b/hw/display/ati.c\n> @@ -149,7 +149,7 @@ static void ati_cursor_define(ATIVGAState *s)\n>     /* FIXME handle cur_hv_offs correctly */\n>     srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -\n>              (s->regs.cur_hv_offs & 0xffff) * 16;\n> -    if (srcoff + 64 * 16 > s->vga.vram_size) {\n> +    if (srcoff > s->vga.vram_size - 64 * 16) {\n>         return;\n>     }\n>     for (int i = 0; i < 64; i++, srcoff += 16) {\n> @@ -206,7 +206,7 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)\n>     }\n>     /* FIXME handle cur_hv_offs correctly */\n>     srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;\n> -    if (srcoff + 16 > s->vga.vram_size) {\n> +    if (srcoff > s->vga.vram_size - 16) {\n>         return;\n>     }\n>     dp = &dp[vga->hw_cursor_x];\n\nConsidering that actual cursor offset is in bits 0-26 this should not \nhappen but bit 31 is the lock bit that erroneously counted into offset \nhere. So additionally we should also mask that out using \n(s->regs.cur_offset & 0x07fffff0) in calculation of scroff. There's one \nmore similar usage in ati_cursor_invalidate. Otherwise,\n\nReviewed-by; BALATON Zoltan <balaton@eik.bme.hu>\n\nRegards,\nBALATON Zoltan","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":"legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)","Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvzXn65RXz1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 19:30:48 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wCa6B-0004ca-Me; Tue, 14 Apr 2026 05:30:23 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <balaton@eik.bme.hu>)\n id 1wCa66-0004aY-DP; Tue, 14 Apr 2026 05:30:21 -0400","from zero.eik.bme.hu ([2001:738:2001:2001::2001])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <balaton@eik.bme.hu>)\n id 1wCa5r-00058t-1g; Tue, 14 Apr 2026 05:30:15 -0400","from localhost (localhost [127.0.0.1])\n by zero.eik.bme.hu (Postfix) with ESMTP id 7EDFC596A3F;\n Tue, 14 Apr 2026 11:29:56 +0200 (CEST)","from zero.eik.bme.hu ([127.0.0.1])\n by localhost (zero.eik.bme.hu [127.0.0.1]) (amavis, port 10028) with ESMTP\n id CPoE8eDoo1Po; Tue, 14 Apr 2026 11:29:54 +0200 (CEST)","by zero.eik.bme.hu (Postfix, from userid 432)\n id 676B0596A2E; Tue, 14 Apr 2026 11:29:54 +0200 (CEST)","from localhost (localhost [127.0.0.1])\n by zero.eik.bme.hu (Postfix) with ESMTP id 65997596A23;\n Tue, 14 Apr 2026 11:29:54 +0200 (CEST)"],"X-Virus-Scanned":"amavis at eik.bme.hu","Date":"Tue, 14 Apr 2026 11:29:54 +0200 (CEST)","From":"BALATON Zoltan <balaton@eik.bme.hu>","To":"Junjie Cao <junjie.cao@intel.com>","cc":"qemu-devel@nongnu.org, Chad Jablonski <chad@jablonski.xyz>,\n\t=?iso-8859-15?q?Philippe_Mathieu-Daud=E9?= <philmd@linaro.org>,\n  qemu-stable@nongnu.org","Subject":"Re: [PATCH] ati-vga: fix unsigned integer overflow in cursor bounds\n checks","In-Reply-To":"<20260414141458.1076014-1-junjie.cao@intel.com>","Message-ID":"<da61bc75-3c2e-a5d1-1448-2386b12c84a6@eik.bme.hu>","References":"<20260414141458.1076014-1-junjie.cao@intel.com>","MIME-Version":"1.0","Content-Type":"text/plain; format=flowed; charset=US-ASCII","Received-SPF":"pass client-ip=2001:738:2001:2001::2001;\n envelope-from=balaton@eik.bme.hu; helo=zero.eik.bme.hu","X-Spam_score_int":"-18","X-Spam_score":"-1.9","X-Spam_bar":"-","X-Spam_report":"(-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_PASS=-0.001,\n T_SPF_HELO_TEMPERROR=0.01 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}},{"id":3677192,"web_url":"http://patchwork.ozlabs.org/comment/3677192/","msgid":"<20260414210821.1122197-1-junjie.cao@intel.com>","list_archive_url":null,"date":"2026-04-14T21:08:21","subject":"Re: [PATCH] ati-vga: fix unsigned integer overflow in cursor bounds\n checks","submitter":{"id":91537,"url":"http://patchwork.ozlabs.org/api/people/91537/","name":"Junjie Cao","email":"junjie.cao@intel.com"},"content":"Thanks for the quick review and the suggestion.\n\nI'll send a v2 series quickly, also collecting the Reviewed-by along\nthe way (there was a semicolon in the tag, which might have kept it\nfrom being automatically collected). Sorry for the churn, Philippe.","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=eyy0salJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw4Kg5xn4z1yHH\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 23:06:31 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wCdST-0004HE-G7; Tue, 14 Apr 2026 09:05:37 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <junjie.cao@intel.com>)\n id 1wCdSQ-0004Go-Hm; Tue, 14 Apr 2026 09:05:34 -0400","from mgamail.intel.com ([198.175.65.11])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <junjie.cao@intel.com>)\n id 1wCdSN-0004JY-S4; Tue, 14 Apr 2026 09:05:34 -0400","from orviesa005.jf.intel.com ([10.64.159.145])\n by orvoesa103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 14 Apr 2026 06:05:27 -0700","from junjie-optiplex-micro-plus-7010.bj.intel.com ([10.238.152.98])\n by orviesa005-auth.jf.intel.com with\n ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Apr 2026 06:05:25 -0700"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1776171931; x=1807707931;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=rwkmF3emdRnrK2XRjdLI3LCe0dEgU+D1Ab7DnNqUVLQ=;\n b=eyy0salJElnT2XoqD8NohfQD1/wRdCQeYpDB3FhIo6FdSRfQdeWvhLLr\n 83TM8eDag9Ge2LkgmXv0zdmjQqjJF7dtXvUrNRLjgC3+XIw65lajR1R4e\n Ogsl6Zpkw6KH+lk3IX4QbTTEDgkAb8pSP6Px1SxWT9kKO3yDkNqBkunLw\n 9wA1YFwfkWIFSU389uDyyPM/FP/jX8h0squ2yrXLExBPjRUUSlwC7LnkU\n M+aafM9VJEWj1kHV0FYmkWVSjsVBknFPkr1/xmeiuoQv+vSU8h68zT+mR\n EarWBfKMnrlyplFPeZycCJGLzlZPR18fAyauLVRak7MtboOmIYdq95tAp A==;","X-CSE-ConnectionGUID":["evrgAEINQw2eNq0jAIIwZw==","tOV9RmzMSvecvsDtQ8XWpQ=="],"X-CSE-MsgGUID":["vJekZdI1SN+kIewy2Lj0zg==","c9GhDTwoRUSFfHCCcEHQQg=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11759\"; a=\"87432992\"","E=Sophos;i=\"6.23,179,1770624000\"; d=\"scan'208\";a=\"87432992\"","E=Sophos;i=\"6.23,179,1770624000\"; d=\"scan'208\";a=\"235048642\""],"X-ExtLoop1":"1","From":"Junjie Cao <junjie.cao@intel.com>","To":"BALATON Zoltan <balaton@eik.bme.hu>","Cc":"qemu-devel@nongnu.org,\n =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,\n Chad Jablonski <chad@jablonski.xyz>, qemu-stable@nongnu.org,\n junjie.cao@intel.com","Subject":"Re: [PATCH] ati-vga: fix unsigned integer overflow in cursor bounds\n checks","Date":"Wed, 15 Apr 2026 05:08:21 +0800","Message-ID":"<20260414210821.1122197-1-junjie.cao@intel.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<da61bc75-3c2e-a5d1-1448-2386b12c84a6@eik.bme.hu>","References":"<20260414141458.1076014-1-junjie.cao@intel.com>\n <da61bc75-3c2e-a5d1-1448-2386b12c84a6@eik.bme.hu>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=198.175.65.11;\n envelope-from=junjie.cao@intel.com;\n helo=mgamail.intel.com","X-Spam_score_int":"-29","X-Spam_score":"-3.0","X-Spam_bar":"---","X-Spam_report":"(-3.0 / 5.0 requ) BAYES_00=-1.9, DATE_IN_FUTURE_06_12=1.947,\n DKIMWL_WL_HIGH=-0.54, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,\n DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]